Previous: vnc_generate_server, Up: vnc_generate_cert
If the QEMU VNC server is to use the x509verify
option to validate client
certificates as its authentication mechanism, each client also needs to be issued
a certificate. The client certificate contains enough metadata to uniquely identify
the client, typically organization, state, city, building, etc. On the host holding
the secure CA private key:
# cat > client.info <<EOF country = GB state = London locality = London organiazation = Name of your organization cn = client.foo.example.com tls_www_client encryption_key signing_key EOF # certtool --generate-privkey > client-key.pem # certtool --generate-certificate \ --load-ca-certificate ca-cert.pem \ --load-ca-privkey ca-key.pem \ --load-privkey client-key.pem \ --template client.info \ --outfile client-cert.pem
The client-key.pem
and client-cert.pem
files should now be securely
copied to the client for which they were generated.